1 / 10

Cyber Threat Intelligence Sharing Standards-based Repository

Cyber Threat Intelligence Sharing Standards-based Repository. November 14, 2014. [Classification]. Cyber Intelligence Sharing. Sharing is Essential to the Industry and Core to the FS-ISAC Intelligence sharing is the primary method of: Detecting industry targeting

leroy-mcdonald
Download Presentation

Cyber Threat Intelligence Sharing Standards-based Repository

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Cyber Threat Intelligence SharingStandards-based Repository November 14, 2014 [Classification]

  2. Cyber Intelligence Sharing • Sharing is Essential to the Industry and Core to the FS-ISAC • Intelligence sharing is the primary method of: • Detecting industry targeting • Detecting institution targeting • Identifying new Techniques, Tactics and Procedures • Locating Advanced Persistent Threats • Issues Today with Sharing • Today the industry processes very little of the intelligence it receives • Manual, Time Consuming, Costly • Practicing cost avoidance • Industry average of 7 man hours to process a single intelligence document • Only a fraction of the documents are processed • Manually processing the entire CISCP document would cost over $10 million per Financial Institution Bad People Bad Things Bad Events Threat Intelligence

  3. Cyber Intelligence Sharing • Solution • Let machines do machine work – process all intelligence at wire speed • Use standards whenever possible to support Machine-to-Machine (M2M) • DHS Sponsored Mitre standards, STIX & TAXII • Make intelligence more accessible to those with less resources • Small/ Medium Member Institutions • Little security resources available • Drive adoption through high-level service & ease of use for all types of member institutions • Innovate - Incrementally increase adoption, fidelity, and automation More on STIX Standards Right-click to open PDF

  4. Today’s Threat Intelligence • Detail with Initial Cyber Intel Repository Early adopters integrate with the repository, sighting same malicious activity Although still unclear, there is a level of automation IP Address: 172.198.1.1 Member #2We also see this!! IP Address: 172.198.1.1 We just got pwned Manual Sharing – You can only process a handful threat indicators The threat landscape is opaque

  5. Next Version of Cyber Intel Repository Member #1 IP Address: 172.198.1.1 Port 80 Sighting 8/5/18: Member #5 Sighting 8/8/18: Member #3 IP Address: 172.198.1.1 Port 80 Member #2We also see this!! Better capabilities with bi-directional machine-to-machine support Visibility and confirmation of the threat increases

  6. Next Year IP Address: 172.198.1.1 Port 80 User-Agent: Foo Get Vars: fun=2 Actor: Abe Lincoln Alias: L1c0lN Campaign: Occupy Whitehouse Significant portion of large financial institutions share their threats Detail of malicious activity and actor becomes clearer

  7. Security Standards Proliferation IP Address: 172.198.1.1 Port 80 User-Agent: Foo Get Vars: fun=2 Actor: Abe Lincoln Alias: L1c0lN Campaign: Occupy Whitehouse Multiple industries utilizing repositories sharing detailed sightings A clear picture of many malicious actors, activities, and threats

  8. Logical Solution One firm’s incident is another firm’s defense • Federation of repositories serve as community hubs • Detection of a threat, instantly shared to trusted members • Cost to adversaries increased; cost to firms decreased Organization A 1 Detect a Threat 2 Enrich Threat Data Filter Policy for Sharing Machine-to-Machine API ISAC Repository 3 Store, Maintain Trust, Build Confidence in Threat Data Machine-to-Machine API 4 Consume & Analyze ISAC – Information Sharing Analysis Center FI – Financial Institution US-CERT – US Computer Emergency Response Team 5 Actionable Intel = Proactive Defense Many Other Organizations

  9. Benefits • Save Time  Lower Costs  Reduce Risk • One Firm’s Incident/ Exploit becomes Another’s Control/ Defense • Less time & effort needed to: • Aggregate, Store, Understand Threat Data • Enrich/ Increase Fidelity of Threat Data • Communicate Threat Data • Action to Defend or Mitigate • Security analysts would focus on analysis instead of machine work • Reinvest time to improve risk posture • Improving analytics of threats, linking TTPs to indicators, identifying new tool kits • Become more pre-emptive, breaking the kill-chain earlier • Better intelligence  better defense  increases cost of malicious activity Moving to the Left of the Hack Eliminates Threats Before Being Compromised

  10. Where We are Today • Active working group, multiple meetings per month, interest and adoption growing across multiple industries and countries • Working closely with DHS, US-CERT, and Mitre to create and align intelligence sharing standards • Launched initial Repository– more coming • Version 1: released in May • First standards based repository, first TAXII implementation • Tracking 37,000 Indicators • Version 2: release in Fall 2013 • Full STIX backend, supporting all STIX object types • Bi-directional TAXII support • Visit our webpage for more information • www.fsisac.com/CyberIntelligenceRepository Right-click to open PDF

More Related